njrat | 7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aa

General

Target

7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Size

1.1MB
MD5

31b7afde2580800384c2b296a8c75cf0
SHA1

b701fa73bb8cea5df5039cc716b5c71f0a6ee398
SHA256

7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aa
SHA512

832adb6d32ec5c9c55340c86bc0bd2a051f845a810e1f245ab06de5073284eb67478b7e7b628607bbb48bf5397cf91d87687570db6d72d35b45edf2e45df0b6a
SSDEEP

24576:7r2f/NRiXPAtK2spGtZN3S56QDAUR3WTtwb:7r4/6XD2spKZN3S51DH

Score

10^/10

njrat mdak evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MDAK

C2

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

d79a7bbe5ad7316f83f8657ce4d4b26d

Attributes

reg_key
d79a7bbe5ad7316f83f8657ce4d4b26d
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

3000 netsh.exe
2860 netsh.exe
2880 netsh.exe
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource yara_rule

F:\system.exe net_reactor

pid	process
3000	netsh.exe
2860	netsh.exe
2880	netsh.exe

resource	yara_rule
F:\system.exe	net_reactor

Drops startup file 2 IoCs

Processes:

7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe

pid process

2508 7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe

pid	process
2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe

description	pid	process
Token: SeDebugPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: 33	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
Token: SeIncBasePriorityPrivilege	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe

description	pid	process	target process
PID 2508 wrote to memory of 3000	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe	netsh.exe
PID 2508 wrote to memory of 3000	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe	netsh.exe
PID 2508 wrote to memory of 3000	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe	netsh.exe
PID 2508 wrote to memory of 2880	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe	netsh.exe
PID 2508 wrote to memory of 2880	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe	netsh.exe
PID 2508 wrote to memory of 2880	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe	netsh.exe
PID 2508 wrote to memory of 2860	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe	netsh.exe
PID 2508 wrote to memory of 2860	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe	netsh.exe
PID 2508 wrote to memory of 2860	2508	7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe
"C:\Users\Admin\AppData\Local\Temp\7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe"
1⤵
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\system32\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe" "7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3000
- C:\Windows\system32\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2880
- C:\Windows\system32\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe" "7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aaN.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\system.exe

Filesize
1.1MB

MD5
31b7afde2580800384c2b296a8c75cf0

SHA1
b701fa73bb8cea5df5039cc716b5c71f0a6ee398

SHA256
7afbab4dbc0296d849e6d1436377ece67d887dcaad96a364659f07d13cb8d1aa

SHA512
832adb6d32ec5c9c55340c86bc0bd2a051f845a810e1f245ab06de5073284eb67478b7e7b628607bbb48bf5397cf91d87687570db6d72d35b45edf2e45df0b6a

Download Submit
memory/2508-8-0x0000000000C90000-0x0000000000CA6000-memory.dmp

Filesize
88KB

Download
memory/2508-5-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-9-0x000007FEF52CE000-0x000007FEF52CF000-memory.dmp

Filesize
4KB

Download
memory/2508-4-0x0000000000FE0000-0x0000000000FF4000-memory.dmp

Filesize
80KB

Download
memory/2508-11-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-6-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-7-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-10-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-3-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-2-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-0-0x000007FEF52CE000-0x000007FEF52CF000-memory.dmp

Filesize
4KB

Download
memory/2508-12-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-13-0x0000000000FB0000-0x0000000000FCC000-memory.dmp

Filesize
112KB

Download
memory/2508-15-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-1-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-23-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-24-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads